DEPARTMENT OF HEALTH & HUMAN SERVICES                                  Office of Inspector General

                                                                       Washington, D.C. 20201

SEP 9 2008


TO:        Kerry Weems
           Acting Administrator
           Centers for Medicare & Medicaid Services

FROM:      Daniel R. Levinson
           Inspector General

SUBJECT:   Review of Medicare Contractor Information Security Program Evaluations for
           Fiscal Year 2005 (A-18-06-02600)


The attached final report presents the results of our Medicare Contractor Information Security
Program evaluations for fiscal year (FY) 2005. Our objectives were to (1) assess the scope and
sufficiency of Medicare contractor information security program evaluations and data center
technical assessments and (2) report the results of those evaluations and assessments.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added
information security requirements for Medicare fiscal intermediaries and carriers to section
1874A of the Social Security Act (the Act) (42 U.S.C. § 1395kk-1). These contractors process
and pay Medicare fee-for-service claims. Pursuant to section 1874A(e) of the Act, each
Medicare contractor must have its information security program evaluated annually by an
independent entity. Section 1874A(e) requires that these evaluations address the eight major
requirements enumerated in the Federal Information Security Management Act (FISMA). (See
44 U.S.C. § 3544(b).) To comply with this provision, the Centers for Medicare & Medicaid
Services (CMS) contracted with PricewaterhouseCoopers to evaluate information security
programs at the intermediaries and carriers using a set of agreed-upon procedures.

Section 1874A(e) also requires an evaluation of the information security controls for a subset of
systems but does not specify the criteria for these evaluations. To satisfy these requirements,
CMS contracted with JANUS Associates, Inc. (JANUS), to perform technical assessments.
Subsequently, CMS developed a vulnerability testing methodology for the assessments to test
segments of the claims processing systems at Medicare data centers. Data centers operate the
computer systems that process and pay Medicare claims.

Section 1874A(e) further requires the Inspector General, Department of Health and Human
Services, to submit to Congress annual reports on the results of these evaluations, as well as their
scope and sufficiency. This report fulfills that responsibility for FY 2005.

The scope and sufficiency of the contractor information security program evaluations performed
by PricewaterhouseCoopers adequately encompassed the eight FISMA requirements referenced
in section 1874A(e)(1). While CMS’s contract with JANUS provided for the planning,
development, and implementation of a comprehensive program to perform security testing, we
could not determine the scope or sufficiency of the work for the data center technical
assessments because we could not determine the extent of JANUS’s work.

We recommend that CMS review contractor documentation related to future data center
technical assessments and ensure that contractor documentation complies with CMS contractual
requirements. At a minimum, this should include a review of test plans to ensure that appointed
contractors have specified the testing procedures to be performed and a review of contractor
working papers to verify that reported weaknesses have been adequately supported, identified,
and included in the technical assessment reports.

In written comments to our draft report, CMS concurred with our recommendation. CMS
actions planned or taken should improve the effectiveness of information security controls
maintained by contractors that determine and make Medicare claims payments. CMS also
provided clarifying information on technical issues that we used to modify our report where
appropriate.

Pursuant to the principles of the Freedom of Information Act, 5 U.S.C.
§ 552, as amended by
Public Law 104-231, Office of Inspector General reports are made available to the public to the
extent the information is not subject to exemptions in the Act (45 CFR part 5). Accordingly, this
report will be posted on the Internet at http://oig.hhs.gov.

Please send us your final management decision, including any action plan, as appropriate, within
60 days. If you have any questions or comments about this report, please do not hesitate to call
me, or have your staff contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal
Activities, and Information Technology Audits at (202) 619-1175 or through e-mail at
Lori.Pilcher@oig.hhs.gov. Please refer to report number A-18-06-02600 in all correspondence.


Attachment


Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM
EVALUATIONS FOR FISCAL YEAR 2005

Daniel R. Levinson
Inspector General

September 2008
A-18-06-02600


Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as
amended, is to protect the integrity of the Department of Health and Human Services (HHS)
programs, as well as the health and welfare of beneficiaries served by those programs. This
statutory mission is carried out through a nationwide network of audits, investigations, and
inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting
audits with its own audit resources or by overseeing audit work done by others. Audits examine
the performance of HHS programs and/or its grantees and contractors in carrying out their
respective responsibilities and are intended to provide independent assessments of HHS
programs and operations. These assessments help reduce waste, abuse, and mismanagement and
promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS,
Congress, and the public with timely, useful, and reliable information on significant issues.
These evaluations focus on preventing fraud, waste, or abuse and promoting economy,
efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also
present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of
fraud and misconduct related to HHS programs, operations, and beneficiaries. With
investigators working in all 50 States and the District of Columbia, OI utilizes its resources by
actively coordinating with the Department of Justice and other Federal, State, and local law
enforcement authorities. The investigative efforts of OI often lead to criminal convictions,
administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG,
rendering advice and opinions on HHS programs and operations and providing all legal support
for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and
abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil
monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors
corporate integrity agreements. OCIG renders advisory opinions, issues compliance program
guidance, publishes fraud alerts, and provides other guidance to the health care industry
concerning the anti-kickback statute and other OIG enforcement authorities.


Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC
at http://oig.hhs.gov

Pursuant to the principles of the Freedom of Information Act, 5 U.S.C.
§ 552, as amended by Public Law 104-231, Office of Inspector General
reports generally are made available to the public to the extent the
information is not subject to exemptions in the Act (45 CFR part 5).

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a
recommendation for the disallowance of costs incurred or claimed, and
any other conclusions and recommendations in this report represent the
findings and opinions of OAS. Authorized officials of the HHS operating
divisions will make final determination on these matters.


EXECUTIVE SUMMARY

BACKGROUND

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added
information security requirements for Medicare fiscal intermediaries and carriers to section
1874A of the Social Security Act (the Act) (42 U.S.C. § 1395kk-1). These contractors process
and pay Medicare fee-for-service claims. Pursuant to section 1874A(e) of the Act, each
Medicare contractor must have its information security program evaluated annually by an
independent entity. Section 1874A(e) requires that these evaluations address the eight major
requirements enumerated in the Federal Information Security Management Act (FISMA). (See
44 U.S.C. § 3544(b).)
To comply with this provision, the Centers for Medicare & Medicaid
Services (CMS) contracted with PricewaterhouseCoopers to evaluate information security
programs at the intermediaries and carriers using a set of agreed-upon procedures.

Section 1874A(e) of the Act also requires an evaluation of the information security controls for a
subset of systems but does not specify the criteria for these evaluations. To satisfy these
requirements, CMS contracted with JANUS Associates, Inc., (JANUS) to perform technical
assessments. Subsequently, CMS developed a vulnerability testing methodology for the
assessments to test segments of the claims processing systems at Medicare data centers. Data
centers operate the computer systems that process and pay Medicare claims.

Section 1874A(e) further requires the Inspector General, Department of Health and Human
Services, to submit to Congress annual reports on the results of these evaluations, as well as their
scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2005.

OBJECTIVES

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information
security program evaluations and data center technical assessments and (2) report the results of
those evaluations and assessments.

SUMMARY OF RESULTS

Assessment of Scope and Sufficiency

The scope and sufficiency of the contractor information security program evaluations performed
by PricewaterhouseCoopers adequately encompassed the eight FISMA requirements referenced
in section 1874A(e)(1) of the Act.

While CMS’s contract with JANUS provided for the planning, development, and implementation
of a comprehensive program to perform testing of security, we could not determine the scope or
sufficiency of the work for the data center technical assessments because we could not determine
the extent of JANUS’s work.

During our review of the data center technical assessments, CMS provided us with copies of a
task order and contract governing JANUS’s work at the data centers. However, the
documentation supplied by JANUS did not provide evidence of the testing procedures that were
performed at the data centers. During our assessment, we reviewed working papers to verify that
reported results were reasonably supported. The working papers provided to document testing
procedures were not complete. For test plans provided, the working papers sometimes did not
indicate whether JANUS had completed all test plan procedures. Also, cross-references to
supporting documentation were missing for many test procedures.

Results of Evaluations and Assessments

The results of the contractor information security program evaluations and data center technical
assessments are presented in terms of gaps, that is, the differences between FISMA or CMS core
security requirements and the contractors’ implementation of those requirements.

Results of Contractor Information Security Program Evaluations

In 32 evaluation reports, which covered all 32 Medicare fiscal intermediaries and carriers,
PricewaterhouseCoopers identified a total of 92 gaps. The number of gaps per contractor ranged
from 0 to 11 and averaged 3. The most gaps occurred in the following FISMA control areas:

   • testing of information security controls (21 gaps at 14 contractors),
   • continuity-of-operations planning (21 gaps at 12 contractors),
   • security programs and system security plans (16 gaps at 14 contractors),
   • security awareness training (10 gaps at 7 contractors), and
   • policies and procedures to reduce risk (9 gaps at 7 contractors).

For some of the FISMA control areas, we noted observations that resulted in the reporting of
duplicate gaps at contractor sites. In the 32 evaluations, there were 22 gaps that affected more
than one control area at a contractor site. Even though these gaps corresponded to multiple
control areas, they were only counted once. These gaps were not included in the gap count
above for the Medicare contractors.

Overall, the number of gaps reported in FY 2005 evaluation reports was significantly lower than
in FY 2004. In FY 2005, 92 gaps were reported in comparison to the 217 gaps reported in
FY 2004. Additionally, in FY 2005, nine contractors were reported as having no gaps and only
two contractors had more than seven gaps. In FY 2004, only three contractors were reported as
having no gaps and two contractors had more than 16 gaps. No contractors in FY 2005 had more
than 11 gaps.

Results of Data Center Technical Assessments

The 14 individual Medicare data center technical assessment reports prepared by JANUS
identified a total of 23 gaps for all 14 data centers. The number of gaps reported per data center
ranged from zero to five and averaged two. The security gaps occurred in the following security
control categories:

   • configuration management (seven gaps at five data centers);
   • contingency planning (three gaps at two data centers);
   • system and information integrity (three gaps at three data centers);
   • access control (two gaps at one data center);
   • incident response (two gaps at one data center);
   • media protection (two gaps at two data centers);
   • security planning (two gaps at two data centers);
   • audit and accountability (one gap at one data center); and
   • certification, accreditation, and security assessments (one gap at one data center).

Additionally, JANUS identified 16 gaps that were resolved and closed within an approximate
1- to 2-month timeframe. These gaps were not included in the above gap count.

We did not perform a detailed comparison of the number of gaps identified within each security
control category for the 2 FYs because of significant changes in the scope and assessment
categories reviewed by JANUS in FY 2005. The FY 2004 review was more technical and
included extensive hands-on testing. Many more gaps were found in FY 2004.

RECOMMENDATION

We recommend that CMS review contractor documentation related to future data center
technical assessments and ensure that contractor documentation complies with CMS contractual
requirements. At a minimum, this should include a review of test plans to ensure that appointed
contractors have specified the testing procedures to be performed and a review of contractor
working papers to verify that reported weaknesses have been adequately supported, identified,
and included in the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS
AND OFFICE OF INSPECTOR GENERAL RESPONSE

In written comments to our draft report, CMS concurred with our recommendation. CMS also
provided clarifying information on technical issues. We have included CMS’s comments in
Appendix D.

We modified our report where appropriate to respond to CMS’s technical comments. CMS
actions planned or taken should improve the effectiveness of information security controls
maintained by contractors that determine and make Medicare claims payments.


TABLE OF CONTENTS

                                                                                    Page

INTRODUCTION ...................................................................... 1

     BACKGROUND .................................................................... 1
          The Medicare Program .................................................... 1
          Medicare Prescription Drug, Improvement, and Modernization Act .......... 1
          Evaluation Process for Fiscal Year 2005 ................................. 2

     OBJECTIVES, SCOPE, AND METHODOLOGY ........................................... 2
          Objectives .............................................................. 2
          Scope ................................................................... 2
          Methodology ............................................................. 3

RESULTS OF REVIEW ................................................................. 3

     ASSESSMENT OF SCOPE AND SUFFICIENCY .......................................... 3

     RESULTS OF CONTRACTOR INFORMATION SECURITY PROGRAM
      EVALUATIONS ................................................................. 4
          Testing of Information Security Controls ................................ 5
          Continuity-of-Operations Planning ....................................... 6
          Security Programs and System Security Plans ............................. 7
          Security Awareness Training ............................................. 7
          Policies and Procedures To Reduce Risk .................................. 8

     RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS ................................. 9
          Configuration Management ............................................... 10
          Contingency Planning ................................................... 11
          System and Information Integrity ....................................... 12
          Access Control ......................................................... 12
          Incident Response ...................................................... 12
          Media Protection ....................................................... 12
          Security Planning ...................................................... 13

     CONCLUSION ................................................................... 13

     RECOMMENDATION ............................................................... 13

     CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS
      AND OFFICE OF INSPECTOR GENERAL RESPONSE ................................... 14

APPENDIXES

   A – LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT
       ACT CONTROL AREA AND CONTRACTOR

   B – RESULTS OF EVALUATIONS FOR CONTROL AREAS WITH THE GREATEST
       NUMBER OF GAPS

   C – LIST OF GAPS BY SECURITY CONTROL AREA AND DATA CENTER

   D – CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS


INTRODUCTION

BACKGROUND

The Medicare Program

Medicare is a health insurance program for people age 65 or older, people under age 65 with
certain disabilities, and people of all ages with end-stage renal disease. In fiscal year (FY) 2005,
Medicare paid more than $332 billion on behalf of nearly 42 million program beneficiaries.

The Centers for Medicare & Medicaid Services (CMS) administers the Medicare program. CMS
contracts with fiscal intermediaries and carriers to administer Medicare benefits paid on a fee-
for-service basis.
Many intermediaries and carriers operate data centers to process and pay\nMedicare claims, while others subcontract with data centers for this purpose.\n\nIn FY 2005, 32 distinct corporate entities served as fiscal intermediaries, carriers, or both. Ten\nof these entities also operated 10 of the 14 Medicare data centers, and 4 additional entities\noperated the remaining 4 data centers. Thus, a total of 36 entities processed and paid Medicare\nfee-for-service claims.\n\nMedicare Prescription Drug, Improvement, and Modernization Act\n\nThe Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) added\ninformation security requirements for intermediaries and carriers 1 to section 1874A of the Social\nSecurity Act (the Act). (See 42 U.S.C. \xc2\xa7 1395kk-1.) Pursuant to section 1874A(e)(1) of the Act,\neach intermediary and carrier must have its information security program evaluated annually by\nan independent entity. This section requires that these evaluations address the eight major\nrequirements enumerated in the Federal Information Security Management Act (FISMA). (See\n44 U.S.C. \xc2\xa7 3544(b).) These requirements, referred to as \xe2\x80\x9cFISMA control areas\xe2\x80\x9d in this report,\nare:\n\n        1. periodic risk assessments,\n        2. policies and procedures to reduce risk,\n        3. security programs and system security plans,\n        4. security awareness training,\n        5. testing of information security controls,\n        6. remedial actions to address deficiencies,\n        7. incident response, and\n        8. continuity-of-operations planning.\n\nSection 1874A(e)(2)(A)(ii) requires that the effectiveness of information security controls be\ntested for an appropriate subset of Medicare contractors\xe2\x80\x99 information systems. 
However, this\n\n1\n The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries\nand carriers with Medicare Administrative Contractors, who are to be competitively selected. Until such time as the\nnew Medicare Administrative Contractors are in place, the requirements of section 1874A apply to fiscal\nintermediaries and carriers.\n\n\n                                                         1\n\x0csection does not specify the criteria for evaluating these security controls. CMS and its\ninformation security consultant, JANUS Associates, Inc., (JANUS), developed a vulnerability\ntesting methodology to comply with this provision.\n\nAdditionally, section 1874A(e)(2)(C)(ii) requires the Inspector General of the Department of\nHealth and Human Services to submit to Congress annual reports on the results of such\nevaluations, including assessments of their scope and sufficiency. This report fulfills that\nresponsibility for FY 2005.\n\nEvaluation Process for Fiscal Year 2005\n\nCMS developed agreed-upon procedures for the program evaluation based on the requirements\nof Section 1874A(e)(1), FISMA, information security policy and guidance from the Office of\nManagement and Budget and the National Institute of Standards and Technology (NIST), and the\nGovernment Accountability Office\xe2\x80\x99s (GAO) \xe2\x80\x9cFederal Information Systems Controls Audit\nManual\xe2\x80\x9d (FISCAM). The independent auditors, PricewaterhouseCoopers (PWC), under contract\nwith CMS used the agreed-upon procedures to evaluate the information security programs at the\n32 fiscal intermediaries and carriers. The agreed-upon procedures are the same as those used in\nFY 2004, with the exception of having more explicit criteria for change management. 
PWC performed evaluations and issued reports for the 32 fiscal intermediaries and carriers.

To comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of
information security controls for an appropriate subset of contractors’ information systems, CMS
contracted with JANUS to plan, develop, and implement a comprehensive program to perform
testing of security.

OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information
security program evaluations and data center technical assessments and (2) report the results of
those evaluations and assessments.

Scope

We evaluated the FY 2005 results of independent evaluations and technical assessments of
Medicare contractors’ information security programs. We performed our reviews of PWC and
JANUS working papers at CMS headquarters in Baltimore, Maryland, and at Office of Inspector
General regional office sites.

Methodology

To accomplish our objectives, we performed the following steps:

       •   To assess the scope of the evaluations of contractor information security programs,
           we determined whether the agreed-upon procedures included the eight FISMA
           control requirements.

       •   To assess the scope of the data center technical assessments, we compared the scope
           of work with NIST and GAO standards and guidelines. We also contacted CMS to
           request the contract or task order between CMS and JANUS to verify that JANUS
           performed the work CMS had specified.

       •   To assess the sufficiency of the evaluations of contractor information security
           programs, we reviewed PWC working papers supporting the evaluation reports to
           determine whether auditors conducted the agreed-upon procedures listed in the
           reports. We also determined whether auditors conducted the evaluations in
           accordance with attestation engagement standards established by the American
           Institute of Certified Public Accountants and in accordance with Government
           Auditing Standards, and we compared the scope of work with applicable NIST
           standards. In addition, we determined whether the evaluation reports encompassed
           the eight FISMA control areas enumerated in Section 1874A(e)(1) of the Act.

       •   Because section 1874A(e)(2)(ii) does not include criteria for assessing the sufficiency
           of the data center technical assessments, we reviewed working papers supporting the
           assessments to verify that reported results were reasonably supported.

       •   To report on the results of the evaluations and technical assessments, we aggregated
           the results contained in the individual contractor evaluation reports and data center
           technical assessment reports.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.

                                   RESULTS OF REVIEW

ASSESSMENT OF SCOPE AND SUFFICIENCY

The scope and sufficiency of the contractor information security program evaluations performed
by PWC adequately encompassed the eight FISMA requirements referenced in section
1874A(e)(1) of the Act.

While CMS’s contract with JANUS provided for the planning, development, and implementation
of a comprehensive program to perform testing of security, we could not determine the scope and
sufficiency of the work performed for the data center technical assessments because we could not
determine the extent of JANUS’s work.

During our review of the data center technical assessments, CMS provided us with copies of a
task order and a contract governing JANUS’s work at the data centers. However, the
documentation supplied by JANUS did not provide evidence of the testing procedures that were
performed at the data centers. We determined that the working papers lacked test plans of work
performed. In cases in which test plans were provided, initials of the testing officials, indicating
completion of the testing, were not provided for all listed procedures. Also, cross-references to
supporting documentation were missing for many test procedures.

RESULTS OF CONTRACTOR INFORMATION SECURITY PROGRAM
EVALUATIONS

We present the results of the contractor information security program evaluations in terms of
gaps, that is, the differences between FISMA or CMS core security requirements and the
contractors’ implementation of those requirements.

The 32 evaluation reports identified a total of 92 gaps. The average number of gaps per
contractor was three.
As shown in Table 1, the number of gaps per contractor ranged from 0 to
11.

                         Table 1: Range of Medicare Contractor Gaps

                                       No. of       No. of
                                       Gaps       Contractors
                                          0           9
                                          1           7
                                       2 to 5         8
                                       6 to 7         6
                                          8           1
                                         11           1

The number of gaps reported in FY 2005 evaluation reports was significantly lower than in
FY 2004.

Table 2 summarizes the gaps found in each FISMA control area. At some contractor sites,
duplicate gaps were reported among these areas. In the 32 evaluations, there were 22 gaps that
affected more than one control area at a contractor site. Even though these gaps corresponded to
multiple control areas, they were only counted once. Appendix A shows the number of gaps at
each contractor by FISMA control area.

      Table 2: Gaps by Federal Information Security Management Act Control Area

                                                  Impact Level of    No. of Gaps        No. of Contractors
    FISMA Control Area                            FISMA Control Area Identified         With One or More Gap(s)
                                                  Subcategories      FY 2004  FY 2005   FY 2004  FY 2005
    Testing of information security controls      High/Medium           18       21        12       14
    Continuity-of-operations planning             High                  57       21        21       12
    Security programs and system security plans   High/Medium           46       16        21       14
    Security awareness training                   High/Medium           25       10        16        7
    Policies and procedures to reduce risk        High/Medium           27        9        21        7
    Periodic risk assessments                     High/Medium           11        6        10        5
    Incident response                             High                  25        6        15        5
    Remedial actions                              Medium                 8        3         7        2
    Total                                                              217       92

The number of gaps and the number of contractors with gaps reported for FY 2005 were
significantly lower than in FY 2004 for seven of the eight FISMA control areas. The FY 2005
report shows that only one FISMA control area, testing of information security controls, slightly
increased in both categories from the numbers reported in FY 2004.

The Medicare contractor information security program evaluations assessed several
subcategories within each FISMA control area. The “impact level” shown in Table 2 refers to
the possible level of adverse impact that could result from successful exploitation of
vulnerabilities in any of the FISMA control areas by subcategory depending on the
organization’s mission and criticality and the sensitivity of the systems and data involved. CMS
and independent auditors developed ratings of high, medium, or low impact to assign to the
subcategories of the FISMA control areas. The actual ratings assigned to the subcategories were
all high or medium impact and reflect PWC’s assessment. It is important to note that the impact
levels were assigned to subcategories of the FISMA control areas, not to individual gaps
identified within the control areas or subcategories. Individual gaps were not assigned an impact
or risk level. As stated in NIST Special Publication (SP) 800-42, “Guideline on Network
Security Testing,” it is difficult to identify the risk level of individual vulnerabilities because
they rarely exist in isolation.

The following sections discuss the five FISMA control areas containing the most gaps. (See
Appendix B for more detailed information by subcategory.)

Testing of Information Security Controls

According to the NIST SP 800-53, “Recommended Security Controls for Federal Information
Systems,” the effectiveness of information security policies, procedures, practices, and controls
should be tested and evaluated at least annually (or more often depending on risk). The NIST
SP 800-42 notes that security testing provides insight into other system development life-cycle
activities, such as risk analysis and contingency planning.

Of the 32 Medicare contractors, 18 had no identified gaps in the testing of information security
controls, and the remaining 14 had one to two gaps each.
In total, 21 gaps were identified in this
area. Of these 21 gaps, 18 were assigned to high-impact subcategories.

Following are examples of these gaps:

   •   Reviews and audits of information technology (IT) security controls, including logical
       and physical controls, platform configuration standards, and patch management controls,
       were not completed to ensure compliance with FISMA guidance.

   •   Identified weaknesses within the organization were not all clearly tracked, monitored, or
       corrected.

   •   Change management policies and procedures did not exist.

Without a comprehensive program for periodically testing and monitoring information
security controls, management has no assurance that appropriate safeguards are in place to
adequately mitigate identified risks.

Continuity-of-Operations Planning

According to the NIST SP 800-34, “Contingency Planning Guide for Information Technology
Systems,” contingency planning represents a broad scope of activities designed to sustain and
recover critical information technology services following an emergency. The planning guide
provides that ensuring continuity of operations goes beyond contingency planning to include
physical security and environmental controls, which are crucial in preventing outages of service.

Of the 32 Medicare contractors, 20 had no identified gaps in continuity-of-operations planning,
and the remaining 12 had one to four gaps each. In total, 21 gaps were identified in this area,
which were all assigned to high-impact subcategories.

Following are examples of physical and environmental security gaps that could affect continuity
of operations:

   •   Employee access to restricted areas was not monitored.

   •   A sprinkler system was not installed where information technology resources were
       located.

   •   The walls of the data center did not extend to the ceiling.

   •   Equipment facilitating communication to the servers was located in an unsecured area.

Another frequently occurring deficiency was inadequate review and testing of contingency plans.
The purpose of testing these plans is to identify planning gaps to improve plan effectiveness and
overall agency preparedness.

The NIST SP 800-34 notes that if contingency planning activities are inadequate, even relatively
minor interruptions of service can result in lost or incorrectly processed data, which can cause
financial losses, expensive recovery efforts, and inaccurate or incomplete financial or
management information.

Security Programs and System Security Plans

The NIST SP 800-18, “Guide for Developing Security Plans for Information Technology
Systems,” states that the purpose of the system security plan is to provide an overview of a
system’s security requirements and to describe the controls in place or planned for meeting those
requirements. The system security plan documents the structured process of planning adequate,
cost-effective security protection for a system. The plan must include sections on personnel
security controls and security awareness and training requirements. The system security plan
and the staff who prepare the plan form the backbone of an organization’s information security
program.

Of the 32 Medicare contractors, 18 had no identified gaps in security programs and system
security plans, and the remaining 14 had one to three gaps each. In total, 16 gaps were identified
in this area. Nine of these sixteen gaps were assigned to high-impact subcategories.

Following are examples of gaps in security programs and system security plans:

   •   Assessments of the appropriateness and tests of the compliance with security policies and
       procedures were not documented.

   •   Background investigations were not conducted for all employees.

   •   Employee training policies and procedures were not enforced or monitored.

   •   Procedures for termination and transfer of employees did not address security.

If complete, up-to-date, documented system security requirements are not implemented and
enforced within security programs, management has no assurance that established system
security controls will be effective in protecting their most valuable assets, such as information,
hardware, software, systems, and related technology assets that support the organization’s critical
missions.

Security Awareness Training

The Computer Security Act of 1987 (P.L. 100-235) requires periodic training in computer
security awareness and accepted computer practices for all employees who manage, use, or
operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a))
require that role-specific training be provided based on each user’s security responsibilities.

Of the 32 Medicare contractors, 25 had no identified gaps in security awareness training, and the
remaining 7 had one to two gaps each. In total, 10 gaps were identified in this area. Three of
these ten gaps were assigned to high-impact subcategories.

Following are examples of security awareness training gaps:

   •   Mandatory annual refresher training on security was not provided.

   •   Documentation did not exist that all employees had received and accepted the rules of
       behavior requirements for their jobs.

   •   Employee training and professional development regarding security were not consistently
       documented and monitored.

   •   Security professionals were not provided specific security training for their job
       responsibilities.

Employees who are unaware of their security responsibilities and/or have not received adequate
training may be at increased risk of causing or exacerbating a computer security incident. If
security personnel are not provided specific job-related training, management has no assurance
that these employees can effectively perform their job responsibilities. Inadequately trained
employees could cause the loss, destruction, or misuse of sensitive Federal data assets.

Policies and Procedures To Reduce Risk

According to the NIST SP 800-30, “Risk Management Guide for Information Technology
Systems,” risk management is the process of identifying and assessing risk and taking steps to
reduce risk to an acceptable level.

Of the 32 Medicare contractors, 25 had no identified gaps in policies and procedures to reduce
risk, and the remaining 7 had one to two gaps each. In total, nine gaps were identified in this
area. Four of these nine gaps were assigned to high-impact subcategories.
Following are
examples of gaps in policies and procedures to reduce risk:

   •   Security policies and procedures did not address security configurations or patch
       management.

   •   Periodic review of system/network boundaries was incomplete because of limited
       penetration testing.

   •   IT security risk assessment was not sufficiently documented.

Ineffective policies and procedures to reduce risk could jeopardize an organization’s ability to
perform its mission, as well as its IT assets.

RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS

We present the results of the data center technical assessments in terms of gaps, that is, the
differences between FISMA or CMS core security requirements and the contractors’
implementation of those requirements.

The 14 individual Medicare data center technical assessment reports identified a total of 23 gaps
for the 14 data centers. The average number of gaps per data center was 2. As shown in Table 3,
the number of gaps per data center ranged from 0 to 5.

                              Table 3: Range of Data Center Gaps

                               No. of Gaps           No. of Data Centers
                                    0                         5
                                    1                         3
                                    2                         1
                                    3                         3
                                    4                         1
                                    5                         1

CMS contracted with JANUS to evaluate six security control areas. The security control areas
were: security planning, contingency planning, configuration management, system and
information integrity, audit and accountability, and risk assessment. During the course of the
review, JANUS expanded these 6 categories to 12 categories. However, this report does not
discuss two of these additional areas (personnel security and system services and acquisition)
because no open gaps existed in these areas among the data centers and they were not part of the
contract requirements.

The number of gaps reported in FY 2005 was significantly lower than in FY 2004. However, we
did not perform a detailed comparison of the number of gaps identified within each security
control category for the 2 FYs because of the significant changes in the scope and assessment
categories reviewed by JANUS in FY 2005. The FY 2004 review was more technical and
included extensive hands-on testing, such as penetration testing.

JANUS assigned each of the gaps to 1 of 10 security control areas. Unlike the information
security evaluations, for the data center assessments, JANUS categorized the risks associated
with the individual gaps as high, medium, or low based on the potential impact and likelihood of
exploitation. Table 4 presents the aggregate results reported for the 14 data centers, including
the number of data centers with high-risk gaps. Appendix C shows the number of gaps at each
data center by security control area.

                      Table 4: Data Center Gaps by Security Control Area

                                              Total No.   No. of Data   No. of Data     No. of Data     No. of Data
    Security Control Area                     of Gaps     Centers       Centers With    Centers With    Centers With
                                              Identified  Affected      High-Risk Gaps  Medium-Risk     Low-Risk Gaps
                                                                                        Gaps
    Configuration management                      7           5              0               4               2
    Contingency planning                          3           2              1               0               1
    System and information integrity              3           3              0               1               2
    Access control                                2           1              0               0               1
    Incident response                             2           1              0               1               0
    Media protection                              2           2              0               0               2
    Security planning                             2           2              0               0               2
    Audit and accountability                      1           1              0               1               0
    Certification, accreditation, and
      security assessments                        1           1              0               1               0
    Risk assessment                               0           0              0               0               0
    Total                                        23

In the technical assessment reports, JANUS identified 2 gaps under security control areas
assessed as high risk and 10 gaps under security control areas assessed as medium risk. At 1 of
the 14 data centers, JANUS identified two high-risk gaps in the contingency planning control
area. At six of the data centers, JANUS identified medium-risk gaps in at least one of the
following categories: configuration management; system and information integrity; incident
response; audit and accountability; and certification, accreditation, and security assessments.

Additionally, there were 16 gaps identified that were resolved and closed within approximately
1 to 2 months of discovery. These gaps were not included in the above gap count.

The following sections discuss the seven security control areas containing the most gaps. We do
not discuss the three security control areas with the fewest gaps (audit and accountability;
certification, accreditation, and security assessments; and risk assessment) in this report.

Configuration Management

Multiple gaps were identified at 5 of the 14 data centers in the area of configuration
management. Examples are listed below:

   1. Lack of configuration management policies and baseline configurations.

       GAO’s FISCAM indicates that without proper configuration management, security
       features could accidentally or intentionally be “turned off.” In addition, processing
       irregularities or malicious code could be introduced that might allow access to sensitive
       data or remote control of a system. The NIST SP 800-70, “Security Configuration
       Checklists Program for IT Products,” identifies the use of baseline configurations as a
       way to provide a consistent approach to systems security and help protect against
       “common and dangerous local and remote threats” (section 2.2).

       Of the 14 data centers, 1 did not have a configuration management policy and 2 lacked
       baseline configurations.
Of those lacking baseline configurations, one data center did not\n       have baseline configurations for its networking equipment. Similarly, another data center\n       did not use security checklists to configure its information system products to a specific\n       baseline.\n\n   2. Use of live data in a test environment.\n\n       GAO\xe2\x80\x99S FISCAM states that live data should not be used in testing. The test environment\n       should remain isolated from the live data. The use of live data for testing can severely\n       compromise the data\xe2\x80\x99s confidentiality. Of the 14 data centers, 2 were using live data in a\n       test environment.\n\n   3. Failure to test security controls after changes were performed.\n\n       The NIST SP 800-53 recommends testing controls and conducting a security impact\n       analysis after performing changes. Of the 14 data centers, 1 did not test security controls\n       after performing changes, making it difficult to ensure that system security was still\n       functioning properly.\n\n   4. Lack of software to monitor changes.\n\n       According to GAO\xe2\x80\x99s FISCAM, library management software provides an automated\n       means of inventorying software, ensuring that differing versions are not accidentally\n       misidentified, and maintaining a record of software changes. 
Library management\n       software should be used to automatically produce audit trails of program changes,\n       maintain program version numbers, record and report program changes, maintain creation\n       date information for production modules, maintain copies of previous versions, and\n       control concurrent updates.\n\n       Of the 14 data centers, 1 did not use library management software to monitor changes.\n       That data center was not able to automatically produce audit trails of changes to software\n       configurations.\n\nContingency Planning\n\nAccording to the NIST SP 800-34, without complete and up-to-date contingency plans, the data\ncenters cannot be assured that their systems can be quickly and effectively recovered after\ndisasters or disruptions in service.\n\n\n\n\n                                                11\n\x0cOf the 14 data centers, 2 had control gaps in the area of contingency planning. Examples\nincluded insufficient allocation of time to perform disaster recovery exercises and out-of-date\ncontingency plans that failed to address changes made in operating systems.\n\nSystem and Information Integrity\n\nThe NIST SP 800-53 indicates that the use of tools, such as an intrusion detection system, helps\nto prevent attacks on systems and detect their unauthorized use.\n\nOf the 14 data centers, 3 had gaps in system and information integrity. These gaps were due to a\nlack of intrusion detection systems. The presence of such gaps makes it more difficult to protect\nsystem and information integrity.\n\nAccess Control\n\nAccording to GAO\xe2\x80\x99s FISCAM, inadequate access controls diminish the reliability of\ncomputerized data and increase the risk of destruction or inappropriate disclosure of data.\nAssociated gaps in the configuration of systems software that control access to systems can make\ncomputers vulnerable to unauthorized access.\n\nOf the 14 data centers, 1 had gaps in access control. 
Examples included the use of an identical\nidentification for both administrative and routine tasks, as well as documented password controls\nthat were inconsistent with implemented controls. These control gaps created vulnerabilities in\nthe confidentiality and integrity of Medicare data and systems.\n\nIncident Response\n\nThe NIST SP 800-61 \xe2\x80\x9cComputer Security Incident Handling Guide,\xe2\x80\x9d emphasizes that members\nof an incident response team require a broad knowledge of IT and an understanding of how to\nuse computer forensic tools and software. This guidance also notes that unless forensic evidence\nis preserved, it will not be available for future legal proceedings.\n\nOf the 14 data centers, 1 had not provided incidence response training and lacked policies and\nprocedures for the preservation of forensic evidence. The presence of these gaps created\nvulnerabilities in incident response.\n\nMedia Protection\n\nAccording to GAO\xe2\x80\x99s FISCAM, media containing sensitive information that is not sanitized may\nbe recovered and the information inappropriately used or disclosed by individuals who have\naccess to the discarded or transferred media. The unauthorized access to personally identifiable\ninformation contained in the Medicare databases could result in a serious adverse effect, with\nwidespread impact on individual privacy being of specific concern.\n\n\n\n\n                                                12\n\x0cOf the 14 data centers, 2 had gaps in media protection. Both of these data centers had control\ngaps involving a failure to sanitize storage media. 
These control gaps indicate vulnerabilities\nthat could lead to the disclosure of sensitive Medicare information.\n\nSecurity Planning\n\nAccording to GAO\xe2\x80\x99s FISCAM, to implement an effective security plan, top management should\nadjust security plans in accordance with changing risk factors because policies and procedures\nmay become inadequate after changes in operations.\n\nAlso, the NIST SP 800-53 requires that data centers upgrade their security plans after the\ninstallation of a new operating system. After such a change, the data center should update its\nrisk assessment, determine what additional security controls and/or control enhancements may be\nnecessary to address the vulnerabilities of the new system, and update its security plan\naccordingly.\n\nOf the 14 data centers, 2 had gaps in security planning. Gaps at both data centers were due to\noutdated system security plans. One of these two data centers did not upgrade its system security\nplan even after the installation of a new operating system. These control gaps create\nvulnerabilities in security planning that could negatively impact overall planning for business\ncontinuity.\n\nCONCLUSION\n\nThe work performed by PWC to evaluate contractor information security programs adequately\nencompassed the eight FISMA requirements referenced in section 1874A. Gaps reported during\nthe PWC program evaluations were supported by documented evidence.\n\nHowever, we could not determine the scope or sufficiency of the work performed by JANUS\nduring the data center technical assessments. The documentation supplied by JANUS did not\nprovide evidence of the testing procedures performed at the data centers. 
Because of the lack of
test plans, missing cross-references to supporting documentation, and incomplete working
papers, we could not determine the extent of JANUS’s work.

RECOMMENDATION

We recommend that CMS review contractor documentation related to future data center
technical assessments and ensure that contractor documentation complies with CMS contractual
requirements. At a minimum, this should include a review of test plans to ensure that appointed
contractors have specified the testing procedures to be performed and a review of contractor
working papers to verify that reported weaknesses have been adequately supported, identified,
and included in the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS
AND OFFICE OF INSPECTOR GENERAL RESPONSE

In written comments to our draft report, CMS concurred with our recommendation. CMS also
provided clarifying information on technical issues. We have included CMS’s comments in
Appendix D.

We modified our report where appropriate to respond to CMS’s technical comments.
CMS
actions planned or taken should improve the effectiveness of information security controls
maintained by contractors that determine and make Medicare claims payments.

APPENDIXES

                                                                                           APPENDIX A

                                   LIST OF GAPS BY
             FEDERAL INFORMATION SECURITY MANAGEMENT ACT CONTROL AREA
                                  AND CONTRACTOR

                                                      Control Area
                             Policies     Security
                               and       Programs
               Periodic     Procedures      and       Security   Testing                          Continuity
Medicare         Risk       To Reduce     Security   Awareness      of      Remedial   Incident      of
Contractor    Assessments      Risk        Plans      Training   Controls    Actions   Response   Operations   Total
    1              0            0            0           0          0           0         0           0          0
    2              0            0            1           0          0           0         0           0          1
    3              0            0            0           0          0           0         0           0          0
    4              0            0            0           0          0           0         0           0          0
    5              2            1            1           0          0           0         0           1          5
    6              0            0            0           0          0           0         0           0          0
    7              0            0            0           0          0           0         0           0          0
    8              0            2            1           2          2           1         0           3         11
    9              0            0            0           0          0           0         0           0          0
   10              0            0            0           0          0           0         0           1          1
   11              0            0            1           0          0           0         0           0          1
   12              0            0            0           1          0           0         0           1          2
   13              0            1            1           0          2           0         0           2          6
   14              0            0            0           0          0           0         0           0          0
   15              0            1            0           1          1           0         0           1          4
   16              0            1            0           0          0           0         0           0          1
   17              0            0            0           0          2           0         1           0          3
   18              0            0            0           0          0           0         0           0          0
   19              0            0            0           0          0           0         0           0          0
   20              1            0            1           0          2           0         1           1          6
   21              1            0            0           0          0           0         1           0          2
   22              1            0            1           2          1           0         0           2          7
   23              1            0            1           2          1           0         0           2          7
   24              0            0            1           0          1           0         0           0          2
   25              0            0            0           0          1           0         0           0          1
   26              0            0            1           0          0           0         0           0          1
   27              0            0            3           1          2           0         0           1          7
   28              0            2            1           0          2           0         0           0          5
   29              0            0            1           0          2           2         1           2          8
   30              0            0            1           0          0           0         0           0          1
   31              0            1            0           1          1           0         0           0          3
   32              0            0            0           0          1           0         2           4          7
  Total            6            9           16          10         21           3         6          21         92

                                                                                     APPENDIX B
                                                                                       Page 1 of 6

              RESULTS OF EVALUATIONS FOR CONTROL AREAS WITH
                       THE GREATEST NUMBER OF GAPS

The “impact level” shown in Tables 1 through 5 on the following pages refers to the level of
adverse impact that could result from successful exploitation of a vulnerability in any of the
Federal Information Security Management Act (FISMA) control areas. It is important to note
that the impact levels were assigned to subcategories of the FISMA control areas, not to
individual gaps identified within the control areas or subcategories. Individual gaps were not
assigned an impact or risk level.
Impact can be described as high, medium, or low in light of the
organization’s mission and criticality and the sensitivity of the systems and data involved.
Independent auditors assigned a rating of high or medium impact to each of the subcategories in
the agreed-upon procedures developed by the Centers for Medicare & Medicaid Services (CMS).

TESTING OF INFORMATION SECURITY CONTROLS

The Medicare contractor information security program evaluations assessed five subcategories
related to the testing of information security controls. The evaluation reports identified a total of
21 gaps in this FISMA control area. The five subcategories in Table 1 are listed based on their
order of presentation in the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-53, “Recommended Security Controls for Federal Information Systems,” a
major source of criteria in this control area.

The columns “No. of Gaps” and “No. of Contractors Affected” are the same because the gaps are
counted by subcategory and there can be only one gap per subcategory for each contractor. The
column “No. of Contractors Affected” represents a duplicated count.

        Table 1: Gaps Related to Testing of Information Security Controls

No.    No. of   No. of Contractors   Subcategory     Subcategory
       Gaps     Affected             Impact Level
 1        0            0             High            Management reports exist for the review and testing of information security policies and procedures, including network risk assessments, accreditations and certifications, internal and external audits, security reviews, and penetration and vulnerability assessments.
 2        6            6             High            Annual reviews and audits are conducted to ensure compliance with FISMA guidance from the Office of Management and Budget for reviews of security controls, including logical and physical security controls, platform configuration standards, and patch management controls.
 3        3            3             Medium          Remedial action is being taken for issues noted in audits.
 4        2            2             High            Change control management procedures exist.
 5       10           10             High            Change control procedures are tested by management to ensure that they are in use.
Total    21

CONTINUITY-OF-OPERATIONS PLANNING

The Medicare contractor information security program evaluations assessed 13 subcategories
related to continuity-of-operations planning. The evaluation reports identified a total of 21 gaps
in this FISMA control area. The 13 subcategories in Table 2 are listed based on their order of
presentation in NIST SP 800-34, “Contingency Planning Guide for Information Technology
Systems,” the source of criteria in this area.

                      Table 2: Continuity-of-Operations Planning Gaps

No.    No. of   No. of Contractors   Subcategory     Subcategory
       Gaps     Affected             Impact Level
 1        1            1             High            Critical data and operations are formally identified and prioritized.
 2        4            4             High            Hardware maintenance, problem management, and change management procedures exist to help prevent unexpected interruptions.
 3        2            2             High            Data and program backup procedures have been implemented.
 4        2            2             High            Policies and procedures for disposal of data and equipment exist and include applicable Federal security and privacy requirements.
 5        2            2             High            Physical security controls exist to protect information technology resources.
 6        2            2             High            Adequate environmental controls have been implemented.
 7        0            0             High            Emergency processing priorities have been established.
 8        0            0             High            Resources supporting critical operations are identified in contingency plans.
 9        1            1             High            Arrangements have been made for alternate data processing and telecommunications facilities.
10        1            1             High            An up-to-date contingency plan is documented.
11        1            1             High            The plan is periodically tested.
12        4            4             High            The results are analyzed and contingency plans adjusted accordingly.
13        1            1             High            Staff have been trained to respond to emergencies.
Total    21

SECURITY PROGRAMS AND SYSTEM SECURITY PLANS

The Medicare contractor information security program evaluations assessed 11 subcategories
related to security programs and system security plans. The evaluation reports identified a total
of 16 gaps in this FISMA control area. The 11 subcategories in Table 3 are listed based on their
order of presentation in NIST SP 800-18, “Guide for Developing Security Plans for
Information Technology Systems,” the source of criteria in this area.

                 Table 3: Security Program and System Security Plan Gaps

No.    No. of   No. of Contractors   Subcategory     Subcategory
       Gaps     Affected             Impact Level
 1        0            0             Medium          A security management structure has been established.
 2        0            0             Medium          Information security responsibilities are clearly assigned.
 3        0            0             High            Security policies and procedures are included in the policies and procedures for control of the life cycle of systems, including accreditations and certifications.
 4        1            1             High            Owners and users are aware of security policies.
 5        0            0             High            A security plan is documented and approved.
 6        1            1             High            The plan is kept current.
 7        3            3             Medium          Management has documented that it periodically assesses the appropriateness of security policies and compliance with them, including testing of security policies and procedures.
 8        1            1             High            Management ensures that corrective actions are effectively implemented.
 9        3            3             High            Security employees have adequate security training and expertise.
10        3            3             High            Hiring, transfer, termination, and performance policies address security.
11        4            4             Medium          Employee background checks are performed.
Total    16

SECURITY AWARENESS TRAINING

The Medicare contractor information security program evaluations assessed six subcategories
related to security awareness training. The evaluation reports identified a total of 10 gaps in this
FISMA control area. The six subcategories in Table 4 are listed based on their order of
presentation in NIST SP 800-50, “Building an Information Technology Security Awareness
and Training Program,” the source of criteria in this area.

                         Table 4: Security Awareness Training Gaps

No.    No. of   No. of Contractors   Subcategory     Subcategory
       Gaps     Affected             Impact Level
 1        0            0             Medium          Employees have received a copy of or have easy access to agency security procedures and policies.
 2        5            5             Medium          Employees have received a copy of the Rules of Behavior.
 3        0            0             Medium          Systematic methods are used to make employees aware of security, e.g., posters or booklets.
 4        2            2             Medium          Security professionals have received specific training for their job responsibilities, and the type and frequency of application-specific training provided to employees and contractor personnel are documented and tracked.
 5        0            0             Medium          Employee training and professional development have been documented and formally monitored.
 6        3            3             High            Annual refresher training for security is mandatory.
Total    10

POLICIES AND PROCEDURES TO REDUCE RISK

The Medicare contractor information security program evaluations assessed six subcategories
related to policies and procedures to reduce risk. The evaluation reports identified a total of nine
gaps in this FISMA control area. The six subcategories in Table 5 are listed based on their order
of presentation in NIST SP 800-30, “Risk Management Guide for Information Technology
Systems,” the source of criteria in this area.

             Table 5: Gaps Related to Policies and Procedures To Reduce Risk

No.    No. of   No. of Contractors   Subcategory     Subcategory
       Gaps     Affected             Impact Level
 1        0            0             High            Management activities include security controls in the costs of developing new systems as part of the system development life cycle. Procedures for software changes include steps to control the changes.
 2        5            5             Medium          Security policies and procedures include controls to address platform security configurations and patch management.
 3        2            2             High            Systems security controls have been tested and evaluated. The system/network boundaries have been subjected to periodic reviews/audits.
 4        0            0             High            Management has performed accreditations and certifications of major systems in accordance with FISMA policies, including security controls testing and documentation.
 5        2            2             High            Documentation exists that outlines reducing the risk exposure identified in periodic risk assessments.
 6        0            0             High            Gaps in compliance exist based on a comparison of management’s compliance checklist and CMS’s core security requirements.
Total     9

                                                                                           APPENDIX C

                           LIST OF GAPS BY SECURITY CONTROL AREA
                                      AND DATA CENTER

                                                    Data Center                                          Total Data Centers
Control Area                    Risk Level   1  2  3  4  5  6  7  8  9 10 11 12 13 14   Total Gaps   With Gaps in This Area
Configuration Management        High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       1  1  1  0  0  2  0  0  0  0  0  0  0  0        5                 4
                                Low          0  1  0  1  0  0  0  0  0  0  0  0  0  0        2                 2
                                TOTAL        1  2  1  1  0  2  0  0  0  0  0  0  0  0        7                 5
Contingency Planning            High         0  0  2  0  0  0  0  0  0  0  0  0  0  0        2                 1
                                Medium       0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Low          0  0  0  0  1  0  0  0  0  0  0  0  0  0        1                 1
                                TOTAL        0  0  2  0  1  0  0  0  0  0  0  0  0  0        3                 2
System and Information          High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
Integrity                       Medium       0  0  0  0  0  0  1  0  0  0  0  0  0  0        1                 1
                                Low          0  0  0  1  0  0  0  0  1  0  0  0  0  0        2                 2
                                TOTAL        0  0  0  1  0  0  1  0  1  0  0  0  0  0        3                 3
Access Control                  High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Low          2  0  0  0  0  0  0  0  0  0  0  0  0  0        2                 1
                                TOTAL        2  0  0  0  0  0  0  0  0  0  0  0  0  0        2                 1
Incident Response               High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       2  0  0  0  0  0  0  0  0  0  0  0  0  0        2                 1
                                Low          0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                TOTAL        2  0  0  0  0  0  0  0  0  0  0  0  0  0        2                 1
Media Protection                High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Low          0  0  0  0  1  0  0  1  0  0  0  0  0  0        2                 2
                                TOTAL        0  0  0  0  1  0  0  1  0  0  0  0  0  0        2                 2
Security Planning               High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Low          0  1  0  0  1  0  0  0  0  0  0  0  0  0        2                 2
                                TOTAL        0  1  0  0  1  0  0  0  0  0  0  0  0  0        2                 2
Audit and Accountability        High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       0  0  0  1  0  0  0  0  0  0  0  0  0  0        1                 1
                                Low          0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                TOTAL        0  0  0  1  0  0  0  0  0  0  0  0  0  0        1                 1
Certification, Accreditation,   High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
and Security Assessments        Medium       0  1  0  0  0  0  0  0  0  0  0  0  0  0        1                 1
                                Low          0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                TOTAL        0  1  0  0  0  0  0  0  0  0  0  0  0  0        1                 1
Risk Assessment                 High         0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Medium       0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                Low          0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
                                TOTAL        0  0  0  0  0  0  0  0  0  0  0  0  0  0        0                 0
GRAND TOTAL                     High         0  0  2  0  0  0  0  0  0  0  0  0  0  0        2                 1
                                Medium       3  2  1  1  0  2  1  0  0  0  0  0  0  0       10                 6
                                Low          2  2  0  2  3  0  0  1  1  0  0  0  0  0       11                 6
                                TOTAL        5  4  3  3  3  2  1  1  1  0  0  0  0  0       23                 9

                                                                                           APPENDIX D
                                                                                             Page 1 of 5